Client VPN Endpoint Mutual Authentication - Client Certificate ARN expiring soon

0

We use mutual authentication to connect to our client VPN endpoint. How would we handle updating the client certificate ARN for a client VPN endpoint? Can that client certificate ARN only be set when first created and not be updated? Does that client certificate ARN only need to include the ca.crt that was used to create the server/client certs? My server certificate was expiring soon, so I followed the recommended steps to renew (using easyrsa) and upload to ACM. I then modified the VPN endpoints using the expiring certificate as their server certificate ARN, attaching the renewed server certificate as its new server certificate ARN. Our connection is still working, but the endpoint's details tab lists the ARN in ACM holding the old server certificate that is expiring soon as the client certificate ARN for that endpoint. I'm not seeing anywhere to update the client certificate ARN when I select Modify Client VPN Endpoint, so I suspect that may need to be done through the CLI. The client certificates on the end users' machines and the renewed (and expiring) server certificates are all issued by the same CA, so I'm hoping it won't stop working after the original server certificate expires. The ca.crt isn't set to expire for several years. The ARN in ACM that has the expiring server cert (as well as the renewed server cert currently being used as the server certificate ARN for the endpoint) includes the cert, key and ca.crt, so I'm hoping it might still work despite the certificate expiring soon. The ca.crt doesn't expire soon, but the old server.crt and .key do. Otherwise, if the client certificate ARN having a ca.crt that isn't expiring, but a .crt/.key that is expiring, could cause an issue, I believe I would need to figure out how to adjust the client certificate ARN for that endpoint to reference the ca.crt that issued all the client certificates and the server certificate.

1 Answer
0

In AWS Client VPN, once the endpoint is created there is no way to change the Client Certificate ARN. However, you can replace the client certificate using the same ACM ARN by referring to the steps detailed in link [1].

AWS Certificate Manager supports the re-import feature. The ARN of the certificate will not change and the newly imported certificate will be automatically deployed to the associated resources. However, during the reimport process there are some restrictions on the old and new certificates.

  • You can add or remove domain names.
  • You cannot remove all of the domain names from a certificate.
  • If Key Usage extensions are present in the originally imported certificate, you can add new extension values, but you cannot remove existing values.
  • If Extended Key Usage extensions are present in the originally imported certificate, you can add new extension values, but you cannot remove existing values.
  • The key type and size cannot be changed.
  • You cannot apply resource tags when reimporting a certificate.

However, there is no restriction that your Issuer must be the same CA, so even if the CA is changed, you still can perform reimport as long as the above conditions are met.

Afterwards, you can re-download the configuration file and add the client certificate and key for the users to be able to connect to the endpoint again.

To download and prepare the Client VPN endpoint configuration file

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
  2. In the navigation pane, choose Client VPN Endpoints.
  3. Select the Client VPN endpoint that you created for this tutorial, and choose Download client configuration.
  4. Locate the client certificate and key that were generated. The client certificate and key can be found in the following locations in the cloned OpenVPN easy-rsa repo:
     • Client certificate — easy-rsa/easyrsa3/pki/issued/client1.domain.tld.crt
     • Client key — easy-rsa/easyrsa3/pki/private/client1.domain.tld.key
  5. Open the Client VPN endpoint configuration file using your preferred text editor. Add <cert></cert> and <key></key> tags to the file. Place the contents of the client certificate and the contents of the private key between the corresponding tags, as such:

     <cert>
     Contents of client certificate (.crt) file
     </cert>

     <key>
     Contents of private key (.key) file
     </key>

  6. Locate the line that specifies the Client VPN endpoint DNS name, and prepend a random string to it so that the format is random_string.displayed_DNS_name. For example:
     • Original DNS name: cvpn-endpoint-0102bc4c2eEXAMPLE.prod.clientvpn.us-west-2.amazonaws.com
     • Modified DNS name: asdfa.cvpn-endpoint-0102bc4c2eEXAMPLE.prod.clientvpn.us-west-2.amazonaws.com
  7. Save and close the Client VPN endpoint configuration file.

Also, make sure that the users have added the profile with the new OVPN configuration file.

References:

[1] Reimporting a certificate - https://docs.aws.amazon.com/acm/latest/userguide/import-reimport.html

[2] Download the Client VPN endpoint configuration file - https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html#cvpn-getting-started-config

AWS
SUPPORT ENGINEER
Babar
answered 4 months ago
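The configuration-file steps in the answer above, carried out by a POSIX shell script. This is an added example, not code from the answer or from AWS; the .ovpn content and PEM bodies are constructed placeholders, the prefix and file paths are assumptions, and the ACM reimport command in the comment is the step that precedes the config rebuild.

```shell
#!/bin/sh
# Preceding step (run against ACM, not executed here): reimport the renewed
# cert into the SAME ARN so the endpoint's Client Certificate ARN stays valid:
#   aws acm import-certificate --certificate-arn <existing-arn> \
#       --certificate fileb://server.crt --private-key fileb://server.key \
#       --certificate-chain fileb://ca.crt
set -e

# Constructed sample input standing in for a freshly downloaded config file
# and the easy-rsa client cert/key (placeholder PEM bodies, not real keys).
WORK="$(mktemp -d)"
cat > "$WORK/downloaded.ovpn" <<'EOF'
client
dev tun
proto udp
remote cvpn-endpoint-0102bc4c2eEXAMPLE.prod.clientvpn.us-west-2.amazonaws.com 443
verb 3
EOF
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER_CLIENT_CERT\n-----END CERTIFICATE-----\n' \
    > "$WORK/client1.domain.tld.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER_CLIENT_KEY\n-----END PRIVATE KEY-----\n' \
    > "$WORK/client1.domain.tld.key"

# prepare_ovpn <downloaded.ovpn> <client.crt> <client.key> <out.ovpn> [prefix]
# Writes a new profile: "remote" line gets random_string.displayed_DNS_name,
# then the client cert and key are embedded in <cert>/<key> blocks.
prepare_ovpn() {
    in="$1"; crt="$2"; key="$3"; out="$4"
    prefix="${5:-$(LC_ALL=C tr -dc a-z0-9 </dev/urandom | head -c 8)}"
    sed "s/^remote \(cvpn-endpoint-[^ ]*\)/remote ${prefix}.\1/" "$in" > "$out"
    {
        printf '<cert>\n'; cat "$crt"; printf '</cert>\n'
        printf '<key>\n';  cat "$key"; printf '</key>\n'
    } >> "$out"
}

# ovpn_ready <file>: succeeds only if the profile carries inline cert+key
# and a prefixed endpoint DNS name, i.e. all steps above were applied.
ovpn_ready() {
    grep -q '^<cert>$' "$1" && grep -q '^</cert>$' "$1" &&
    grep -q '^<key>$' "$1" && grep -q '^</key>$' "$1" &&
    grep -q '^remote [a-z0-9]*\.cvpn-endpoint-' "$1"
}

prepare_ovpn "$WORK/downloaded.ovpn" "$WORK/client1.domain.tld.crt" \
    "$WORK/client1.domain.tld.key" "$WORK/client1.ovpn" asdfa
ovpn_ready "$WORK/client1.ovpn" && echo "prepared: $WORK/client1.ovpn"
```

Hand the resulting client1.ovpn to the user as the new profile; the downloaded file is left untouched so it can be re-used for the next user.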
